[pmwiki-users] very subtle bug in blocklist2 script
Patrick R. Michaud
pmichaud at pobox.com
Sun Sep 11 10:39:11 CDT 2005
On Sat, Sep 10, 2005 at 01:39:45AM -0400, Neil Herber wrote:
> However, on a Windoze server, pages named "Blocklist" and "BlockList"
> (note cap "L") map to the same file. On my system the actual file
> name was Blocklist, but I entered BlockList in the URL, which
> retrieved the correct page, but failed on the page name match test
> inside the Blocklist2 code.
>
> This can probably be fixed with a case-insensitive comparison.

Perhaps not, because on Unix systems a case-insensitive comparison
would mean that a spammer could enter any text desired on BlockList
(with a capital 'L'), as well as "BLOCKLIST", "BlOCKLIST",
"BlOcKlIsT", etc.

(Granted, on post-beta44 versions these alternate pages would
all be blocked against edits, so it's not an issue there, but
for blocklists held in non-protected groups it could be
an issue.)

I don't have a quick solution to this problem. (Feel free to
enter it in PITS.)

Pm